Five months feels like time. It is not, not for compliance work
involving risk documentation, conformity assessments, and system
classification decisions that carry penalties reaching
€15 million or 3% of global annual turnover under Article 99.
August 2, 2026 is the date EU AI Act obligations take effect for
high-risk AI systems and transparency requirements for AI-generated
content. The math is straightforward: the Act entered into force
August 1, 2024, and Article 113 sets a 24-month implementation period
for these obligations. There’s no ambiguity in the date.
What “High-Risk” Actually Means
Not every AI system is high-risk under the Act. The designation applies
to systems listed in
Annex III, which covers eight categories:
– Critical infrastructure management (energy, water, transport)
– Education and vocational training (student assessment, admissions)
– Employment and worker management (recruitment, performance evaluation)
– Access to essential private and public services (credit scoring,
insurance risk assessment)
– Law enforcement (risk assessment, evidence evaluation)
– Migration and border control
– Administration of justice
– Democratic processes (political campaign targeting)
If your organization deploys AI that makes or substantially influences
decisions in any of these categories for users in the EU, your systems
require analysis against the Annex III criteria now. The analysis is
not trivial, what counts as “substantially influencing” a decision
has been a source of compliance debate, and your legal team needs to
be involved in making that determination.
What the New Code of Practice Adds
On March 5, 2026, the European Commission published the second draft of
its Code of Practice on Marking and Labelling of AI-generated content,
confirmed by the
EU AI Act Information Platform. This is directly relevant to the
August 2 transparency obligations, which require that AI-generated content
be identifiable as such.
The Code of Practice is implementation guidance, not the law itself,
but it is the most current official signal of how the Commission expects
the transparency requirements to be met in practice. Second draft status
means this is not finalized, and the final version may differ. What it
tells compliance teams right now: the Commission is actively working through
the technical and procedural specifics of content labelling, and
organizations should be building their marking and disclosure
infrastructure against this draft’s requirements while monitoring
for the final version.
Obligations That Apply from August 2
For high-risk AI system providers and deployers, the obligations are
substantial. Under the EU AI Act, they include:
*Risk management systems.* Providers must establish, implement, document,
and maintain a risk management system for each high-risk AI system
throughout its lifecycle.
*Data governance.* Training, validation, and testing data must meet
quality criteria. Data governance practices covering data collection,
preparation, and processing must be documented.
*Technical documentation.* Before a high-risk AI system enters the
market or service, providers must prepare technical documentation
demonstrating compliance.
*Transparency and instructions for use.* High-risk AI systems must be
designed to allow deployers to understand what the system does.
Instructions for use must be provided.
*Human oversight.* High-risk AI systems must be designed to allow
effective human oversight by natural persons during use.
*Accuracy, robustness, and cybersecurity.* High-risk AI systems must
meet performance standards and be resilient against attempts to alter
their behavior through adversarial techniques.
For deployers (organizations using high-risk AI systems built by someone
else), obligations are different but still substantive: conducting
fundamental rights impact assessments, registering the system in the
EU database, implementing human oversight measures, and monitoring
system performance.
The Fine Tier Distinction You Need to Know
A common misreading of the EU AI Act’s penalty structure conflates two
different fine tiers. The €35 million / 7% of global annual turnover
ceiling applies to violations of the Act’s prohibited AI practices,
things like social scoring by public authorities and real-time remote
biometric identification in public spaces. Those prohibitions took
effect February 2, 2025.
The August 2 high-risk AI system obligations carry a lower (but still
substantial) penalty ceiling: up to €15 million or 3% of global annual
turnover for violations. Do not cite the wrong number in your
compliance risk assessments, it affects how your board and leadership
evaluate the exposure.
On the Potential Deadline Extension
Some legal commentary has reported that amendments under discussion in
EU legislative bodies could extend the high-risk rules deadline from
August 2026 to December 2027. Those amendments have not been adopted.
Compliance planning that assumes an extension is available may
leave your organization exposed if the amendment fails or is delayed
further. Treat August 2, 2026 as the operative date. If an extension
is adopted before then, you will have the benefit of additional time
with no compliance cost. If it is not adopted, you will be prepared.
Where to Start If You Haven’t
Three immediate priorities for organizations that have not yet begun
formal EU AI Act compliance work:
First, conduct an inventory of AI systems deployed in the EU and assess
each against Annex III. This is the classification step, and everything
downstream depends on getting it right.
Second, pull the March 5 Code of Practice second draft and assess your
current AI-generated content disclosure practices against it. Transparency
obligations affect any organization producing AI-generated content
for EU audiences, not only high-risk AI system operators.
Third, identify your conformity assessment pathway. High-risk AI systems
generally require either a third-party conformity assessment or a
self-assessment against harmonized standards. ISO/IEC 42001 certification
is one pathway that supports the governance documentation requirements,
see our coverage of the
ISO/IEC 42001 compliance landscape for more context.
The August 2 deadline has been on the horizon long enough that
some compliance teams have been watching without acting. The Commission’s
publication of a second Code of Practice draft is the signal that
implementation is no longer theoretical. The guidance exists.
The deadline is fixed. The obligations are substantial.
Five months is enough time to get this right, if the work
starts now.
*EU AI Act compliance involves legal obligations with significant
financial consequences. Consult qualified legal counsel to determine
whether your AI systems fall under Annex III and to assess your
specific documentation, registration, and conformity assessment
requirements before August 2, 2026. accurate
general guidance; application to specific systems and use cases
requires legal analysis.*